Analysis

  • max time kernel
    109s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    28-09-2021 11:19

General

  • Target

    CMR-7146846_PDF.pif.exe

  • Size

    310KB

  • MD5

    71028a6ec414b1642243aa4981a3365f

  • SHA1

    630b016a94f7bee220565d3b9a55a2ae8ef73c5a

  • SHA256

    167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918

  • SHA512

    4c403091f4839867d7465e437f30eb3648a114ebf1e16cadbcd4a232f2c9b75fac1ef4d9b7081314eeabb33eb9579ce39373385f122c3104e7a7815c007b790a

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.globalmedical.nl
  • Port:
    587
  • Username:
    vic@globalmedical.nl
  • Password:
    W3oxtsMvzRhJV&eBZoFabwZV

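The extracted SMTP account is the exfiltration channel, and in AgentTesla cases of this kind it is almost always a compromised third-party mailbox used as a drop, so the credentials are an indicator to block and report to the domain owner, not something to log in with. What a responder wants from the config is a pivot into network telemetry. The following is an added example, not part of the original report: it walks Zeek-style dns.log, conn.log and smtp.log records (a subset of the real Zeek fields, tab-separated, constructed here with documentation address ranges) and alerts on connections to whatever the extracted hostname resolved to, on direct SMTP/submission traffic from hosts that are not an approved relay, and on any envelope that uses the extracted mailbox. The log lines, the IP addresses and the relay list are assumptions.

```python
"""Pivot from the extracted AgentTesla SMTP config to network telemetry.

Added example, not part of the original report. The config gives the
exfiltration channel: SMTP submission (TCP/587) to mail.globalmedical.nl with
a hard-coded mailbox. Workstations normally never speak SMTP themselves, so
this check walks Zeek-style dns.log, conn.log and smtp.log records (a subset
of the real Zeek fields, tab-separated) and raises an alert for
  (a) any connection to an address that dns.log resolved for the extracted host,
  (b) any direct SMTP/submission connection from a host that is not an approved relay,
  (c) any SMTP envelope that uses the extracted mailbox.
The log lines, IP addresses and relay list below are constructed, not captured
from the sandbox run.
"""
from typing import Dict, List, Tuple

# Values taken from the extracted config.
C2_HOST = "mail.globalmedical.nl"
C2_USER = "vic@globalmedical.nl"

SMTP_PORTS = {25, 465, 587}      # SMTP, SMTPS, submission (the config uses 587)
APPROVED_RELAYS = {"10.0.0.25"}  # assumption: the only sanctioned outbound mail relay

# Constructed sample logs (documentation address ranges only).
DNS_LOG = """\
ts\tuid\tid.orig_h\tquery\tanswers
1632827950.1\tCd1\t10.0.5.41\tmail.globalmedical.nl\t203.0.113.25
1632827951.0\tCd2\t10.0.5.41\twww.example.com\t192.0.2.50
"""
CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1632827952.3\tCc1\t10.0.5.41\t49812\t203.0.113.25\t587\ttcp\tsmtp
1632827953.0\tCc2\t10.0.5.41\t49813\t192.0.2.50\t443\ttcp\tssl
1632827960.7\tCc3\t10.0.0.25\t40221\t198.51.100.9\t25\ttcp\tsmtp
1632827965.2\tCc4\t10.0.5.77\t51002\t198.51.100.30\t465\ttcp\t-
"""
SMTP_LOG = """\
ts\tuid\tid.orig_h\tid.resp_h\thelo\tmailfrom\trcptto
1632827952.9\tCc1\t10.0.5.41\t203.0.113.25\tDESKTOP-41\tvic@globalmedical.nl\tvic@globalmedical.nl
1632827961.0\tCc3\t10.0.0.25\t198.51.100.9\tmail.example.org\talice@example.org\tbob@example.net
"""

Row = Dict[str, str]


def parse_tsv(text: str) -> List[Row]:
    """Header-driven TSV reader for the Zeek-like records above."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def c2_addresses(dns_rows: List[Row], host: str = C2_HOST) -> set:
    """IPs the clients resolved for the extracted C2 hostname."""
    ips = set()
    for r in dns_rows:
        if r["query"].lower() == host:
            ips.update(a for a in r["answers"].split(",") if a and a != "-")
    return ips


def find_exfil(dns_rows, conn_rows, smtp_rows) -> List[Tuple[str, str, str, str]]:
    """Return (uid, reason, source host, detail) for every suspicious record."""
    alerts = []
    c2_ips = c2_addresses(dns_rows)
    for r in conn_rows:
        src, dst, dport = r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])
        if dst in c2_ips:
            alerts.append((r["uid"], "conn-to-extracted-c2", src, f"{dst}:{dport}"))
        elif dport in SMTP_PORTS and src not in APPROVED_RELAYS:
            alerts.append((r["uid"], "direct-smtp-from-endpoint", src, f"{dst}:{dport}"))
    for r in smtp_rows:
        if C2_USER in (r["mailfrom"].lower(), r["rcptto"].lower()):
            alerts.append((r["uid"], "smtp-extracted-mailbox", r["id.orig_h"], r["mailfrom"]))
    return alerts


if __name__ == "__main__":
    for a in find_exfil(parse_tsv(DNS_LOG), parse_tsv(CONN_LOG), parse_tsv(SMTP_LOG)):
        print(*a, sep="\t")
```

On port 587 the stealer will normally negotiate STARTTLS, so a real smtp.log often shows only the EHLO and STARTTLS and an empty envelope; checks (a) and (b) do not depend on seeing the envelope, which is why the DNS and connection pivots come first and the mailbox match is the bonus. With the constructed logs the run produces three alerts: the workstation's connection to the resolved C2 address, a second workstation talking SMTPS directly, and the envelope carrying the extracted mailbox; the approved relay's traffic is not flagged.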
Signatures

  • AgentTesla

    Agent Tesla is a .NET-based information stealer with remote access tool (RAT) features. Its defining behaviour is harvesting stored credentials from browsers, email clients and FTP clients and sending them out over SMTP, FTP or HTTP; the extracted config above shows the SMTP variant.

  • AgentTesla Payload 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but for an infostealer such as AgentTesla it is far more consistent with host profiling (drive and volume enumeration feeding System Information Discovery), and no file encryption is reported in this run.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe  (depth 1, PID 1032)
    "C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe  (depth 2, PID 1612, child of PID 1032)
      "C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken

    The parent (PID 1032) loads the dropped DLL, spawns a second copy of its own image and is the process that calls WriteProcessMemory and SetThreadContext; the stealer behaviours (process enumeration, self-rename, privilege adjustment) run in the child (PID 1612). That is the process-hollowing pattern: the loader starts itself suspended, overwrites the child's image with the unpacked AgentTesla payload and redirects the main thread before resuming it. The dumps for PID 1612 at 0x400000-0x44C000 under Downloads are the overwritten image, and the mapping entry at 0x40188B is most plausibly the address the redirected thread was pointed at.

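The same parent-then-child-of-the-same-image shape can be checked mechanically rather than by eye. The following is an added example, not part of the original report: it parses a hand-transcribed copy of the Processes block and the memory-dump entries, links children to parents by the tree depth markers, and flags any child whose image matches its parent's while the parent carries the SetThreadContext and WriteProcessMemory signatures, the sequence CreateProcess(CREATE_SUSPENDED), WriteProcessMemory, SetThreadContext, ResumeThread that hollowing uses. The child's dump at the 32-bit default image base 0x400000 is used as corroboration and its size reported as the injected payload size; the parser's field names and the assumption that 0x400000 is the image base are mine.

```python
"""Flag the self-injection (process hollowing) pattern in a sandbox process tree.

Added example, not part of the original report. It parses a copy of the
Processes block and the memory-dump entries from the report (embedded below as
REPORT, transcribed by hand) and reports a process that spawns a second
instance of its own image while it, the parent, carries the SetThreadContext
and WriteProcessMemory signatures: the hollowing sequence
CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> SetThreadContext ->
ResumeThread. The child's dump at its image base is used as corroboration
and its size is reported as the injected payload size.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Transcribed from the report; only the fields the parser needs.
REPORT = r"""
Processes

  • C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe
    "C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe
      "C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:1612

Downloads

  • \Users\Admin\AppData\Local\Temp\nsk45F5.tmp\agyko.dll
  • memory/1032-60-0x0000000075801000-0x0000000075803000-memory.dmp
  • memory/1612-62-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/1612-63-0x000000000040188B-mapping.dmp
  • memory/1612-65-0x0000000001E90000-0x0000000001EC7000-memory.dmp
"""

IMAGE_RE = re.compile(r"^•\s+([A-Za-z]:\\\S+)$")   # "• C:\path\to\image.exe"
DEPTH_RE = re.compile(r"^(\d+)⤵$")                # tree-depth marker from the report UI
PID_RE = re.compile(r"^PID:(\d+)$")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Parent-side signatures that together make up a process-hollowing injection.
HOLLOW_SIGS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}
IMAGE_BASE = 0x400000   # assumption: default image base of the 32-bit PE


@dataclass
class Proc:
    image: str
    depth: int = 0
    pid: Optional[int] = None
    sigs: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None


def parse_report(text: str) -> Tuple[List[Proc], List[Tuple[int, int, int]]]:
    """Return (processes, memory dumps as (pid, start, end))."""
    procs: List[Proc] = []
    dumps: List[Tuple[int, int, int]] = []
    by_depth = {}          # depth -> most recent process seen at that depth
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():      # unindented section header: leave the tree
            cur = None
            continue
        line = raw.strip()
        if m := IMAGE_RE.match(line):
            cur = Proc(image=m.group(1))
            procs.append(cur)
            continue
        if m := DUMP_RE.search(line):
            dumps.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            continue
        if cur is None:
            continue
        if m := DEPTH_RE.match(line):
            cur.depth = int(m.group(1))
            by_depth[cur.depth] = cur
            cur.parent = by_depth.get(cur.depth - 1)
        elif m := PID_RE.match(line):
            cur.pid = int(m.group(1))
        elif line.startswith("•"):
            cur.sigs.append(line.lstrip("• ").strip())
    return procs, dumps


def find_hollowing(procs, dumps, image_base=IMAGE_BASE):
    """Children of the same image whose parent did WriteProcessMemory + SetThreadContext."""
    findings = []
    for p in procs:
        par = p.parent
        if par is None or par.image.lower() != p.image.lower():
            continue
        if not HOLLOW_SIGS.issubset(par.sigs):
            continue
        payload = [(s, e) for pid, s, e in dumps if pid == p.pid and s == image_base]
        findings.append({
            "parent_pid": par.pid,
            "child_pid": p.pid,
            "image": p.image,
            "payload_size": payload[0][1] - payload[0][0] if payload else None,
        })
    return findings


if __name__ == "__main__":
    procs, dumps = parse_report(REPORT)
    for f in find_hollowing(procs, dumps):
        print(f"hollowing: {f['parent_pid']} -> {f['child_pid']} ({f['image']}), "
              f"payload {f['payload_size']} bytes at 0x{IMAGE_BASE:x}")
```

Run against the transcribed block it yields a single finding, 1032 into 1612, with a 0x4C000-byte (304 KB) region at the image base, which is the dump listed under Downloads. The same two-signature-plus-same-image rule carries over to endpoint telemetry (Sysmon event 1 for the child, event 8/10 style access from the parent), where it is one of the few hollowing heuristics with a low false-positive rate.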
Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files, T1081 (3 matching signatures: FTP client, email client and browser data reads)
  • Discovery: System Information Discovery, T1082 (1 matching signature: physical storage device enumeration)
  • Collection: Data from Local System, T1005 (3 matching signatures)

Note: the mapping uses ATT&CK v6. In later ATT&CK versions T1081 was deprecated and its content moved to T1552.001 (Unsecured Credentials: Credentials In Files); T1082 and T1005 are unchanged.

Downloads

  • \Users\Admin\AppData\Local\Temp\nsk45F5.tmp\agyko.dll
    MD5

    7dc59f4707dae01d8bc589b5764fbd65

    SHA1

    53397fb4fce54937bf30764283934b6573fd63a9

    SHA256

    d8f687ba9eea4e69aeaad9cccafd1ecc9be0b1b09c88ab8a4b5728aba666c903

    SHA512

    f89321e0382ab5ca457f040a3f4d887cae047a5ca00efce4d8a6334e307b07d130788116c30bbd22ca94739fff17e19b2c221958f013de32eac4da86cbfc680e

  • memory/1032-60-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize

    8KB

  • memory/1612-62-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

  • memory/1612-63-0x000000000040188B-mapping.dmp
  • memory/1612-65-0x0000000001E90000-0x0000000001EC7000-memory.dmp
    Filesize

    220KB

  • memory/1612-68-0x00000000046D1000-0x00000000046D2000-memory.dmp
    Filesize

    4KB

  • memory/1612-67-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

  • memory/1612-69-0x00000000046D2000-0x00000000046D3000-memory.dmp
    Filesize

    4KB

  • memory/1612-70-0x00000000046D3000-0x00000000046D4000-memory.dmp
    Filesize

    4KB

  • memory/1612-71-0x00000000046D4000-0x00000000046D5000-memory.dmp
    Filesize

    4KB